AUDIT OF PERSONNEL ACTION PROCESSING CONTROLS AND SECURITY

Audit Report No. 99-028

OFFICE OF AUDITS
OFFICE OF INSPECTOR GENERAL

Federal Deposit Insurance Corporation
Washington, D.C. 20429
Office of Inspector General, Office of Audits

DATE: July 29, 1999

TO: Donald C. Demitros, Director, Division of Information Resources Management
    Arleas Upton Kea, Director, Division of Administration

FROM: Steven A. Switzer, Deputy Inspector General

SUBJECT: Audit of Personnel Action Processing Controls and Security (Audit Report No. 99-028)

The Office of Inspector General (OIG) has completed an audit of controls and security over personnel action processing, an activity that includes the management of comprehensive data files on individual employees. These data originate from numerous events that an individual experiences during his/her employment with the federal government, such as organizational changes and changes in pay and benefits. An employee’s record may include over 100 data elements, and the integrity of this data must be preserved over the employee’s federal government career.

BACKGROUND

FDIC’s processing of personnel actions is performed using information systems operated by the FDIC and the United States Department of Agriculture (USDA) National Finance Center (NFC) located in New Orleans, Louisiana.
The FDIC’s Personnel Action Request System (PARS) collects the necessary information to generate a personnel action from both the requesting office and the Personnel Services Branch (PSB). The combined information is electronically transmitted to the NFC computer facility which, in turn, updates its database and transmits a completed Notification of Personnel Action (SF-50) back to the FDIC. PSB then places the form in the employee’s Official Personnel Folder and forwards a copy to the employee and the originating office.

Computer security for the NFC systems is provided through the use of mainframe access control software that is used to control which NFC application systems a specific operator can access. FDIC’s mainframe access control software is used to control which individuals may initiate or update requested personnel actions through PARS. Approvals of requested personnel actions are controlled by PARS accepting only those approval messages transmitted via Email from designated users. PARS uses specialized, purchased software to perform this function.

The Division of Information Resources Management (DIRM) and the Division of Administration (DOA) recently initiated a project to provide the FDIC with an integrated personnel management system that will replace PARS and other personnel-related systems. FDIC management plans to implement the Corporate Human Resource Information System (CHRIS) using commercial off-the-shelf software to provide personnel action support, time and labor processing, position management, vacancy announcement tracking, benefits tracking, and performance management.

Personnel action processing was previously addressed by the OIG in an audit of the FDIC’s combined personnel and payroll functions and an audit of general information systems security in the FDIC Dallas regional office.
The report resulting from the combined personnel and payroll audit was entitled Information Systems Audit of Payroll and Personnel Systems and was issued on April 25, 1995. This report concluded that the various systems for processing payroll and personnel transactions had security weaknesses and that certain controls related to payroll processing needed to be strengthened. The report recommended changes in the review and approval process for assigning access privileges to the Corporation’s systems, utilities, and databases. Management agreed with the report’s recommendations, and our review did not identify similar concerns. In addition, a recent audit report entitled Information Systems Security – Dallas (Audit Report No. D98-087) identified weaknesses in the administration of access privileges for PARS that resulted in access privileges for an excessive number of individuals. The report recommended actions to ensure that privileges were based on need. Dallas management took actions to effectively address the recommendations.

DOA has performed internal control assessments of areas related to personnel services. The assessments were performed to evaluate access controls for the Vacancy Tracking System, coding and input accuracy for personnel actions, and controls over employee benefit information. The information obtained during these assessments was used to improve controls and data accuracy.

OBJECTIVES, SCOPE, AND METHODOLOGY

The objectives of the audit were to determine the adequacy of information systems processing and security controls over the origination and maintenance of individual employee personnel data related to personnel actions. Our audit was limited to the portion of the process performed by PSB at its headquarters and field locations in Dallas, Texas, and Atlanta, Georgia, and included tests of PARS process controls.
We did not perform tests of the NFC process controls because these systems fall under the purview of the USDA OIG.

We performed a risk analysis to assess the adequacy of personnel action processing controls. We identified the existing control procedures by reviewing systems documentation and existing procedures and by interviewing PSB personnel. For each control risk, we identified and evaluated the effectiveness of existing controls. We tested the effectiveness of the control procedures by reviewing a sample of transactions and conducting tests of certain computerized controls provided by PARS at PSB offices in Washington, D.C.; Dallas, Texas; and Atlanta, Georgia. We performed our transaction reviews by judgmentally sampling transactions from the NFC database and comparing this information to source documents contained in employees’ Official Personnel Folders. Our sample consisted of 99 employees in Washington, D.C.; 69 in Dallas, Texas; and 48 in Atlanta, Georgia. For each employee in our sample, we determined whether personnel actions processed during the 12-month period ending September 30, 1998 were adequately supported and timely processed.

To assess the adequacy of security controls, we reviewed systems access lists for PARS and the NFC personnel processing systems. During our review of access privileges, we considered the individual employee’s need to access and/or change personnel data and the type of system functions that should be permitted to ensure appropriate separation of duties. We also evaluated PARS security infrastructure to determine whether unauthorized users could circumvent existing controls.
We performed our evaluation by reviewing security tables in the ACF2 access control software and in the DB2 database system.

We conducted the audit between September 1998 and January 1999 in accordance with generally accepted government auditing standards.

RESULTS OF AUDIT

PSB developed and implemented a number of processes to enhance data integrity, including a well-administered data verification program that involves periodically sending staffing tables to all Divisions and Offices for verification and correction, followed by rigorous follow-up to ensure a timely and thorough effort by the Divisions and Offices. Further, PSB’s processing of personnel actions was generally performed in a timely manner, and employees’ Official Personnel Folders were generally complete and well-maintained.

Our comparison of NFC data to records contained in the Official Personnel Folders of 216 FDIC employees identified some discrepancies. For example, we noted seven Service Computation Date (SCD) changes that were not supported by a Request for Personnel Action (SF-52). Additionally, we noted that the 105 employee award transactions in our sample did not receive post-processing reviews. We were unable to fully quantify the accuracy of personnel data processed because PSB did not maintain copies or images of SF-52s as submitted by the requesting FDIC organization and prior to modification by PSB.

FDIC needs additional procedures, processes, and controls to more fully protect personnel database files from unauthorized browsing and intentional or inadvertent unauthorized changes. Additional controls are needed for direct file updates performed by PSB and NFC because these transactions are performed without standardized source documents and, therefore, are not subject to PSB’s reconciliation procedures.
Additionally, PSB’s document matching process was limited in its effectiveness because requests submitted by offices and divisions remained electronically modifiable by PSB and were printed as official documents only after PSB completed all changes and transmitted the documents electronically to NFC. The lack of historical source documentation, as submitted by the originating office, precluded our ability to determine the extent to which this control weakness resulted in actions not intended by the originating organization.

DIRM and PSB need to improve access controls for PARS, and PSB needs to more closely limit access to the NFC systems that it uses, to better prevent unauthorized access to sensitive data and to enhance controls through separation of incompatible duties. Access controls were hindered by the lack of current listings identifying employees’ access privileges. This lack of information was instrumental in FDIC’s continued assignment of unnecessary access authorities to PARS and its related data. Security was further diminished because at least 10 employees who were not assigned access to PARS could nevertheless access PARS data directly, outside the application’s controls. Finally, FDIC’s overall security over corporate data was reduced by the existence of a general-use, systems-level user identification (ID) and password combination originally intended for training purposes. This generic ID and password combination was not assigned to an individual, thereby eliminating accountability, and provided the ability to access all mainframe data files, including operating system files.

Many of the recommendations contained in this report are directed at improving PSB and DIRM control procedures. PSB stated its commitment to such improvements as part of its plan to engage a contractor to fully document its operating procedures.
Further, DIRM took action during the audit to correct all of the security concerns that we reported to them.

CERTAIN CONTROL PROCEDURES NEED TO BE STRENGTHENED

PSB can strengthen certain controls to ensure the accuracy and appropriateness of some types of transactions. PSB’s primary control over the creation and modification of employee data was the matching of source documents (SF-52) with output documents (SF-50). However, some transactions, such as master file updates performed by NFC, data updates performed by PSB, and employee awards, were not subjected to the matching process or to compensating control processes.

PSB did not perform document matching for these types of transactions because they were not originated by SF-52s created through PARS and transmitted electronically to NFC. Instead, these transactions were entered directly into the NFC Personnel Action Processing System (PACT) by PSB or directly into the database files by NFC, bypassing both PARS’ controls and PSB’s reconciliation controls. PACT is the main online remote entry system used to forward personnel actions to NFC. The Master File updates made by NFC and the PACT update transactions made by PSB were in particular need of compensating controls because, in addition to not being subjected to a reconciliation process, they were not supported by an audit trail.

Master File updates by NFC are infrequent, and none were noted in our audit sample. The data affected are computer-derived, in the form of cumulative totals of elapsed days of employment, used to determine the achievement of milestones related to probationary periods and particular terms of appointment.
However, because changes to these data are not reconciled or subject to an audit trail, other control mechanisms are needed to ensure the accuracy and integrity of these data.

Compensating controls are also needed for PSB data updates made via the PACT system Data Update screen. Although classified by NFC as unofficial changes, up to 40 different employee-related data elements can be entered or modified through the Data Update screen without a record of the action, including probationary period start date, grade retention expiration date, annual leave category, and Thrift Savings Plan eligibility code.

Employee awards were also not processed through PARS, but were input directly to PACT without the preparation of an SF-52. Instead, PSB employees prepared voucher sheets listing the affected employees and their respective award amounts. However, PSB had not established a pre- or post-processing review using the voucher sheets, and the transactions were not recorded in an audit trail.

Sound internal control practices dictate that transactions should be adequately controlled to ensure proper authorization, input, and processing. Without such controls, PSB cannot be assured that its records and related personnel actions are accurate and appropriate. We were unable to determine the extent to which the lack of such controls contributed to inaccuracies in personnel records because PSB did not maintain source documentation for all transactions.

Recommendation

We recommend that the Director, Division of Administration,

(1) Develop procedures to ensure the integrity of NFC-generated, PACT-generated, and employee award transactions.

SUPPORT FOR PERSONNEL ACTIONS CAN BE IMPROVED

PARS did not ensure that personnel actions were fully documented.
When processing a request for a personnel action, the submitting organization initiated and approved an SF-52 through PARS and transmitted the request to PSB. However, this document remained electronically modifiable by PSB and was printed as an official document only after PSB made additions and modifications and transmitted the document to NFC. Further, PARS provided PSB the capability to change, without an audit trail, all SF-52 data elements except for employee name and social security number.

While we recognize that it is sometimes necessary for PSB to change SF-52s submitted by client organizations because of its specialized expertise and possession of information not always available to the originating organization, controls are needed to ensure that requests continue to accurately represent the intent of the requestor. While a copy of the SF-50 is forwarded to the employee and the client organization, PSB had not established a procedure requiring clients to compare SF-50s with the original requests submitted through PARS.

Sound internal control practices dictate that all transactions are traceable to properly authorized source documents and that accountability is established for data origination and changes to ensure that erroneous or unauthorized transactions are limited and identified. Weaknesses in such control practices may result in the processing of personnel actions that are not consistent with the intent of the originating organization.
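
The three controls this finding calls for (a preserved image of the request as the office submitted it, a trail of who changed which field and when, and a comparison of the SF-50 against that original) fit in a short record type. The following is an added example written for this page; it is not PARS, CHRIS, or any FDIC code, and every field name, user ID, date and value in it is constructed. It keeps the two fields PARS itself would not let PSB alter (name and social security number) locked, logs every other edit, and reports any difference in the output document that no trail entry explains.

```python
# Added example, not part of the audit report or of PARS/CHRIS: a request record
# that keeps the originating office's SF-52 as an immutable image, logs every
# later change with who/what/when, and reconciles the final SF-50 against the
# original. Field names, user IDs and values are all constructed for illustration.
import hashlib
import json

LOCKED_FIELDS = ("employee_name", "ssn")   # the two fields PARS would not let PSB change


def digest(fields):
    """Canonical SHA-256 over a field dict, used as the tamper-evidence value."""
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class PersonnelRequest:
    def __init__(self, fields, submitted_by):
        self.original = dict(fields)                  # image of the SF-52 as submitted
        self.original_digest = digest(self.original)  # in practice kept outside PSB's reach
        self.submitted_by = submitted_by
        self.current = dict(fields)                   # working copy that PSB may edit
        self.trail = []                               # (when, user, field, old, new)

    def change(self, user, field, new, when):
        """Apply a PSB edit to the working copy; every edit leaves a trail entry."""
        if field in LOCKED_FIELDS:
            raise PermissionError(f"{field} may not be changed after submission")
        self.trail.append((when, user, field, self.current.get(field), new))
        self.current[field] = new

    def original_intact(self):
        """True if the stored image still matches the digest taken at submission."""
        return digest(self.original) == self.original_digest

    def diff_against(self, sf50):
        """Fields where the output document differs from what the office asked for."""
        keys = set(self.original) | set(sf50)
        return {k: (self.original.get(k), sf50.get(k))
                for k in sorted(keys) if self.original.get(k) != sf50.get(k)}

    def unexplained(self, sf50):
        """Output differences with no trail entry: changes that slipped past the record."""
        logged = {entry[2] for entry in self.trail}
        return {k: v for k, v in self.diff_against(sf50).items() if k not in logged}


def build_example():
    """Constructed walk-through: one request, one logged PSB edit, and an SF-50
    that also differs in a field nobody logged."""
    req = PersonnelRequest(
        {"employee_name": "J. Doe", "ssn": "000-00-0001", "action": "Promotion",
         "grade": "GS-12", "step": "3", "effective_date": "1998-05-10"},
        submitted_by="DOA-ADMIN-STAFF",
    )
    req.change("PSB-SPECIALIST-1", "step", "1", when="1998-05-04T14:02:00Z")
    # SF-50 as returned from NFC (constructed). The effective date moved, but
    # nothing in the trail accounts for it.
    sf50 = {"employee_name": "J. Doe", "ssn": "000-00-0001", "action": "Promotion",
            "grade": "GS-12", "step": "1", "effective_date": "1998-05-24"}
    return req, sf50


if __name__ == "__main__":
    req, sf50 = build_example()
    print("original intact:", req.original_intact())
    print("differences:", req.diff_against(sf50))
    print("unexplained:", req.unexplained(sf50))
```

The point of `unexplained()` is that the submitting office does not need to re-read the whole SF-50: the logged step change is accounted for, and only the effective-date change is surfaced for them to challenge. The digest is only useful if it is stored somewhere PSB cannot rewrite it, which is the same requirement the report places on the original SF-52 image.
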
The extent to which this may have occurred could not be determined due to the cited absence of an audit trail.

We recognize that it may not be cost beneficial to address the control weakness cited through changes to PARS because DOA is currently planning to acquire and implement the Corporate Human Resources Information System (CHRIS) to provide for its overall data processing requirements, including the processing of personnel actions. However, these control weaknesses should be addressed through the CHRIS project to ensure that personnel actions are properly authorized and consistent with the intent of the originating organization.

Recommendations

We recommend that the Director, Division of Administration,

(2) Develop written procedures requiring submitting organizations to compare SF-52s submitted to PSB to SF-50s received at the end of the process to ensure the accuracy and consistency of the personnel actions processed, and report the results to PSB.

(3) Ensure that the CHRIS subsystem intended to replace PARS incorporates the capability to preserve a permanent image or record of the original SF-52 submitted by the requesting organization and provides an audit trail of changes and additions made to the request.

SUPPORT FOR CHANGES IN SERVICE COMPUTATION DATES CAN BE IMPROVED

PSB had not established controls that ensured the integrity of SCD data. PSB must initiate SCD changes when it identifies an error in the originally entered date. This generally occurs when an incorrect date is reported from an employee’s prior agency.
SCD changes are generally originated by PSB and not based on an SF-52 received from a submitting organization. Of the personnel data changes originated by PSB, changes in SCD are among the more critical in terms of impact because they affect employee benefits such as the amount of annual leave earned and retirement eligibility. PSB maintained source documentation for all nine of the SCD changes contained in our sample. Two SCD transactions were supported by SF-52s, and seven were supported by computer-generated worksheets or hand-written calculations. However, four of the seven transactions supported only by worksheets or manual calculations did not identify the individual who prepared the supporting documentation or entered the transaction. In addition, only the two SCD transactions supported by SF-52s contained evidence of supervisory review.

Sound internal control practices dictate that transactions should be supported by documentation identifying the individual originating and entering the transaction and by evidence of supervisory review. Without such controls, PSB cannot be assured of the integrity of SCD data. We did not determine the extent to which these needed control improvements impacted the accuracy of SCD data because of the general absence of SF-52s supporting these transactions and the related difficulty in identifying the transactions.

Recommendation

We recommend that the Director, Division of Administration,

(4) Develop procedures requiring a standard format for supporting SCD calculations and for identifying the individual responsible for the calculations, and ensure that the resulting transactions are input to PARS or the NFC system based on a properly approved SF-52.

WEAKNESSES IN PARS AND NFC SECURITY ADMINISTRATION

PSB can improve its procedures for controlling access to PARS and the NFC systems used to process personnel actions.
PSB provided employees with PARS access authorities that reduced controls by providing, in some cases, the ability to perform incompatible functions. Further, PSB employees and former PSB employees who no longer had a need for such access were provided access authorities to NFC systems used to process personnel actions.

Security and control for PARS is administered through a system of control tables that determines who can gain access to PARS and what functions they can perform. We identified 26 individuals in PSB’s Washington, D.C., office who were provided the incompatible authorities of both establishing and filling positions. Limiting the functions that a system user can perform can enhance controls by separating incompatible duties.

Further, we identified individuals in PSB’s Washington, D.C., office who were performing the control function of matching input documents with output documents and who were also given PARS privileges for creating, modifying, and deleting data.

The unneeded access authorities noted were due, in part, to the lack of periodic information available to PSB on assigned access authorizations for PARS. PSB had not created, or requested that DIRM create, a report identifying PARS users and their assigned access authorities. Without such information, effective control over PARS access and related processes is difficult to attain.

PSB can also improve security for personnel action processing by better controlling access to NFC systems that are used in the processing of personnel actions. Ten PSB employees and four non-PSB employees were assigned access authorities to NFC’s PACT system, which provides the ability to modify personnel-related data online without an audit trail of the actions performed.
The assignment of such authorities to 10 PSB employees does not appear to be necessary due to the limited use of this form of data entry and the lack of controls discussed earlier in this report. In addition, PSB, in not revoking PACT authorities for former PSB employees, further reduced controls over personnel action processing.

Sixty-three PSB employees and four former PSB employees were assigned authority to access NFC’s Suspense Inquiry and Correction System (SINQ), which enables users to access transactions in suspense due to edit errors and make corrections. Access to error correction applications such as SINQ should be limited to only those PSB employees who need the access to carry out their duties. While we did not determine the number of PSB employees who require such access, the assignment of these authorities to such a large number of employees, including employees no longer assigned to PSB, reduces controls and increases the risks to data integrity.

Recommendations

We recommend that the Director, Division of Administration,

(5) Review the duties of each employee on the Systems Support Staff to identify those who do not need access to both the Classification Review option and the Review of SF-52 option, and modify the system tables to provide access to only those employees who require such access to perform their duties.

(6) Reassign duties and/or revise PARS access privileges so that individuals performing the control function of matching input documents (SF-52s, etc.)
with output documents (SF-50s) are not provided the ability to create, modify, or delete data.

(7) Revoke access privileges to the NFC SINQ system for all individuals not in PSB and for PSB employees who do not require such access, to ensure effective and efficient SINQ processing.

(8) Revoke access privileges to the NFC PACT system for individuals who are not in PSB, and limit the number of PSB employees with such access to the number needed to effectively and efficiently perform PACT processing.

(9) Develop, periodically distribute, and review reports identifying individuals assigned access authorities related to personnel action processing. Based on these reviews, ensure that all unnecessary access authorities are revoked.

WEAKNESSES IN PARS SYSTEMS LEVEL SECURITY ADMINISTRATION

DIRM had not taken action to appropriately limit direct access to PARS files. The FDIC mainframe access control facility (ACF2) and the security features of the DB2 database management system are used to protect PARS from unauthorized direct file access, an activity which would effectively circumvent the PARS application-level security controls. Prevention of direct access to PARS files is vital to the integrity and security of PARS data.

ACF2 protects PARS and other mainframe application systems by linking individual user identifications (IDs) with specific computer resources and files. The ACF2 rules contained three IDs that enabled the users to directly access PARS files and perform read and update functions without being subjected to the controls provided by the PARS application system. The identity of all individuals using the IDs could not be determined because one of the IDs was assigned generically rather than to a specific user. The ID was created for general purpose training use and was not revoked when it was no longer needed.
Consequently, anyone using this ID could bypass the accountability controls that would identify the persons responsible for any actions taken. Because the training ID was inadvertently linked with DIRM Production Control Unit privileges, persons using this ID could read or edit all data residing on the FDIC’s mainframe without being held accountable for their actions. This security exposure was further compounded because a user of this ID could also edit operating system files and, therefore, manipulate mainframe operations, including bringing about a system shutdown, without detection or accountability.

In addition to the overly powerful ID issued for training purposes, the ACF2 rules contained another ID with direct access to PARS files, which was issued to an employee in the Division of Finance. The ID was included in a group ID intended for the DIRM database administration group and, therefore, had read and update privileges to most FDIC mainframe data. Finally, the ACF2 rules contained an ID that was issued to a DIRM contract person no longer assigned to the PARS project.

ACF2 administration pertaining to DB2 backup datasets can also be improved. Because the ACF2 tables did not include a rule concerning the backup datasets, a default rule applied that gave read and update privileges to 77 individuals in four DIRM operating groups that should not have been provided these capabilities. Thus, these individuals could read sensitive personnel data. Some of these individuals were also provided the capability to improperly modify the backup data files.

Similar to ACF2, the FDIC’s DB2 database management system also has tables linking users with the files they are allowed to access. The DB2 tables, however, perform this function at a greater level of specificity as to what data elements can be accessed.
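
Recommendation 9 asks for periodic reports of assigned access authorities, and the ACF2 and DB2 paragraphs above describe what such a report has to surface: a shared ID with no person behind it, IDs that outlived the holder's assignment or unit, incompatible function pairs (recommendations 5 and 6), and datasets that fall through to a permissive default rule because nobody wrote a specific one. The following added example, written for this page and not taken from the report or from ACF2 or DB2, runs those four checks over constructed tables in the same shape (dataset prefix rules, group IDs expanded to members, a function table per user). All user IDs, groups, dataset names and function names are invented.

```python
# Added example, not part of the audit report or of ACF2/DB2 themselves: an
# entitlement review over constructed ACF2-style dataset rules, group IDs and
# PARS function tables. It looks for the four conditions the report describes:
# a shared ID with nobody behind it, IDs held by people who left or sit outside
# the unit, incompatible function pairs, and datasets that fall through to the
# default rule. Every user ID, group, dataset and function name is made up.
from itertools import combinations

# Constructed roster. A generic ID has no person behind it.
ROSTER = {
    "JSMITH":  {"person": "J. Smith", "unit": "PSB",  "active": True},
    "ALEE":    {"person": "A. Lee",   "unit": "PSB",  "active": True},
    "BKUMAR":  {"person": "B. Kumar", "unit": "PSB",  "active": False},  # left PSB
    "CDIAZ":   {"person": "C. Diaz",  "unit": "DOF",  "active": True},
    "TRAIN01": {"person": None,       "unit": "DIRM", "active": True},   # shared training ID
}

# Constructed group IDs (ACF2 UIDs or DB2 secondary IDs) -> member user IDs.
GROUPS = {
    "PRODCTL": {"JSMITH", "TRAIN01"},
    "DBA":     {"CDIAZ"},
}

# Constructed dataset rules: prefix -> {principal: access}. A dataset whose
# prefix has no rule falls back to DEFAULT_RULE, which is how the DB2 backup
# datasets in the report ended up readable by whole operating groups.
RULES = {
    "PARS.DB2":     {"ALEE": "R", "PRODCTL": "RW", "DBA": "RW"},
    "SYS1.PARMLIB": {"PRODCTL": "RW"},
}
DEFAULT_RULE = {"DBA": "RW", "PRODCTL": "RW"}

# Constructed PARS function table and the pairs the report treats as incompatible.
PARS_FUNCTIONS = {
    "JSMITH": {"ESTABLISH_POSITION", "FILL_POSITION"},
    "ALEE":   {"MATCH_SF52_SF50", "MODIFY"},
    "BKUMAR": {"FILL_POSITION"},
}
INCOMPATIBLE = {
    frozenset({"ESTABLISH_POSITION", "FILL_POSITION"}),
    frozenset({"MATCH_SF52_SF50", "CREATE"}),
    frozenset({"MATCH_SF52_SF50", "MODIFY"}),
    frozenset({"MATCH_SF52_SF50", "DELETE"}),
}


def effective_access(dataset, rules=RULES, groups=GROUPS, default=DEFAULT_RULE):
    """Resolve who can reach `dataset`, expanding group IDs to members.
    Returns (rule_key, {user_id: access}); rule_key is None when only the
    default rule applied, which is itself a finding."""
    matches = [p for p in rules if dataset == p or dataset.startswith(p + ".")]
    key = max(matches, key=len) if matches else None   # most specific prefix wins
    access = {}
    for principal, level in (rules[key] if key else default).items():
        for user in groups.get(principal, {principal}):
            if level == "RW" or user not in access:     # keep the most permissive
                access[user] = level
    return key, access


def generic_ids(holders, roster=ROSTER):
    """IDs with no accountable person behind them (unknown IDs count too)."""
    return sorted(u for u in holders if roster.get(u, {}).get("person") is None)


def stale_ids(holders, unit, roster=ROSTER):
    """IDs held by people who left, or who are outside `unit`."""
    return sorted(u for u in holders
                  if u in roster and roster[u]["person"] is not None
                  and (not roster[u]["active"] or roster[u]["unit"] != unit))


def sod_conflicts(functions=PARS_FUNCTIONS, incompatible=INCOMPATIBLE):
    """Users holding both halves of an incompatible function pair."""
    found = []
    for user, funcs in sorted(functions.items()):
        for a, b in combinations(sorted(funcs), 2):
            if frozenset({a, b}) in incompatible:
                found.append((user, a, b))
    return found


def review(dataset, unit="PSB"):
    """One recertification report for a dataset plus the PARS function table."""
    key, access = effective_access(dataset)
    return {
        "dataset": dataset,
        "rule": key,                                  # None => default rule applied
        "generic": generic_ids(access),
        "stale": stale_ids(access, unit),
        "stale_pars": stale_ids(PARS_FUNCTIONS, unit),
        "sod": sod_conflicts(),
    }


if __name__ == "__main__":
    for ds in ("PARS.DB2.TABLES", "PARS.BACKUP.D990101"):
        print(review(ds))
```

Run against the constructed tables, the backup dataset resolves with `rule` set to `None`, which is the "no specific rule, default applied" condition the report found on the DB2 backup datasets; the training ID shows up under `generic` on every dataset its group can reach; the Division of Finance user surfaces as `stale` because the group ID, not the person, carries the access; and the departed PSB employee surfaces under `stale_pars` even though nothing about the function table itself looks wrong. A real report would be generated from the ACF2 and DB2 tables on a schedule and compared against the previous run, so that new grants are reviewed rather than rediscovered.
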
Seven individuals listed on the DB2 tables had inappropriate ‘read’ access to PARS data, including one individual who had update capabilities as well. This individual, a DOS Administrative Assistant, could read and edit all DB2 files, bypass accountability controls, and grant similar privileges to anyone in FDIC.

These conditions were presented to DIRM during our audit. DIRM completed corrective actions prior to issuance of this report. Therefore, we are not making any formal recommendations regarding these conditions.

CORPORATION COMMENTS AND OIG EVALUATION

Written responses were provided by the Directors, DIRM and DOA, on June 10, 1999 and July 9, 1999, respectively. These responses are presented in Appendices I and II of this report. The Director, DIRM, confirmed in his response that all issues requiring DIRM action had been implemented prior to receiving the draft report. The Director, DOA, stated that most actions have either been completed or will be completed by August 15, 1999. One exception pertained to a recommendation regarding actions associated with the implementation of a system to replace PARS (recommendation 3). DOA officials indicated that this recommendation would be implemented by July 1, 2001. DOA’s response expressed disagreement with a proposed recommendation contained in the draft report regarding reducing the number of individuals assigned system administrator privileges. DOA’s response also indicated only partial concurrence with recommendation 2. In a subsequent meeting, DOA prepared and presented documentation indicating that six of the ten individuals cited in the draft report as having system administrator authorities had reduced administrative capabilities. We confirmed this statement
and, therefore, removed this finding and recommendation from the final report. During this meeting, DOA officials also agreed to fully implement recommendation 2 and provided a planned completion date of August 15, 1999.

The Corporation’s responses to the draft report provided the elements necessary for management decisions on the report’s recommendations. Therefore, no further response to this report is necessary. Appendix III presents management’s proposed action on our recommendations and shows that there is a management decision for each recommendation in this report.

APPENDIX I

CORPORATION COMMENTS – DIVISION OF INFORMATION RESOURCES MANAGEMENT

FDIC
Federal Deposit Insurance Corporation
3501 North Fairfax Drive, Arlington, VA 22226
Division of Information Resources Management

June 10, 1999

MEMORANDUM TO: David H. Loewenstein, Assistant Inspector General

FROM: Donald C. Demitros, Director, Division of Information Resources Management

SUBJECT: DIRM Management Response to the Draft OIG Report Entitled, Audit of Personnel Action Controls and Security (Audit Number 98-904)

The Division of Information Resources Management (DIRM) has reviewed the draft audit report and agrees with the findings. We would like to thank the OIG staff for working so effectively with the DIRM ISS staff during this audit.
Although no formal recommendations were identified for DIRM, there were a number of necessary corrective actions that were identified by the OIG and completed by DIRM prior to the issuance of this draft report. Each condition and the associated corrective actions are identified below.

WEAKNESSES IN PARS SYSTEMS LEVEL SECURITY ADMINISTRATION

• DIRM had not taken adequate actions to limit direct access to PARS files. The ACF2 tables contained three IDs which enabled the users to directly access PARS files and perform read and update functions without being subjected to the controls provided by the PARS application system. Two of the IDs also allowed access to most FDIC production datasets.

  Corrective Action Taken:
  10/28/98 – The identified DIRM contractor who was no longer assigned to PARS was removed from the UID.
  10/28/98 – The identified DOF employee with inappropriate access to PARS was removed from the UID.
  10/29/98 – The general purpose training ID was removed from the Production Control UID.

• Because the ACF2 tables did not include a rule concerning the backup datasets, a default rule applied that gave read and update privileges to 77 individuals in four DIRM operating groups that should not have been provided these capabilities.

  Corrective Action Taken:
  12/11/98 – The ‘write’ access for the DB2 back-up datasets was limited to production control and two people in the DIRM General Systems Support Unit.
  DIRM ISS reviewed all ACF2 corrective actions again 3/31/99 and
    all issues had been resolved.\n\n\xe2\x80\xa2     Seven individuals listed on these (DB2) tables had inappropriate \xe2\x80\x98read\xe2\x80\x99 access to PARS data,\n      including one individual who had update capabilities as well.\n\n      Corrective Action Taken: 3/24/99 - The identified individual with update capability\n                               was removed from the group_id PAR.\n\n                                4/8/99 - The six identified individuals with \xe2\x80\x98read\xe2\x80\x99 access\n                                were deleted from the secondary IDs.\n\n\nPlease address any questions to DIRM\xe2\x80\x99s Audit Liaison, Rack Campbell, on 516-1422.\n\ncc:      Vijay Deshpande, OICM\n         Janet Roberson, DIRM RMB\n         Sunil Porter, DIRM ISS\n\n\n\n\n                                                  12\n\x0c                                                                                          APPENDIX II\n\nCORPORATION COMMENTS \xe2\x80\x93 DIVISION OF ADMINISTRATION\n\n\n    Federal Deposit Insurance Corporation\n          th\n    550 17 Street, NW, Washington, D.C. 20429                         Division of Administration\n\n\n\n                                                JULY 09, 1999\n\nMEMORANDUM TO:                      David H. Lowenstein\n                                    Assistant Inspector General\n\n\nFROM:                               Arleas Upton Kea\n                                    Director\n\nSUBJECT:                            Management Response on Draft Report Entitled Audit of\n                                    Personnel Action Controls and Security\n\nThe Division of Administration (DOA) has completed its review of the draft report issued by the\nOffice of the Inspector General (OIG) entitled \xe2\x80\x9cAudit of Personnel Action Controls and Security\xe2\x80\x9d\n(audit number 98-904). DOA appreciates the study performed by the OIG. 
As noted in the OIG\nreport, DOA PSB is committed to making improvements in documenting its operating\nprocedures. Overall, DOA agrees with the report's conclusions.\n\nDOA has evaluated each of the report recommendations and provides the following proposed\nmanagement decisions for your review.\n\nMANAGEMENT DECISION\n\nRecommendation 1: Develop procedures to ensure the integrity of NFC-generated, PACT-\ngenerated, and employee award transactions.\n\nManagement Response 1: DOA concurs with this recommendation. PSB has developed\nprocedures to enhance data integrity with respect to master file updates performed by NFC, data\nupdates performed by PSB, and employee award transactions.\n\nRecommendation 2: Develop written procedures, requiring submitting organizations to\ncompare SF-52s submitted to PSB to SF-50s received at the end of the process to ensure the\naccuracy and consistency of the personnel actions processed and report the results to PSB.\n\nManagement Response 2: DOA concurs in part with the recommendation. It is the current\nbusiness practice among the Division/Office Administrative Staffs to routinely compare the\nPersonnel Action Requests (PARS) to the SF-50s to ensure that actions are properly processed.\nIn addition, a Sr. Personnel Staffing Assistant reviews for accuracy all SF-50s by comparing\n\n\n                                                        13\n\x0cthem to the SF-52 and supporting documentation. Furthermore, employees act as a\ncompensating control by evaluating the SF-50 upon receipt. We believe that these actions\naddress the intent of the recommendation.\n\nRecommendation 3: Ensure that the CHRIS subsystem intended to replace PARS incorporates\nthe capability to preserve a permanent image of the original SF-52 submitted by the requesting\norganization and provides an audit trail of changes and additions made to the request.\n\nManagement Response 3: DOA concurs with the recommendation. 
The CHRIS subsystem\nwill incorporate the capability to track all changes to a personnel action from the original request\nto the final processed action submitted by the Servicing Personnel Office. The information will\nbe retained in the database as a permanent record for a specified time.\n\nRecommendation 4: Develop procedures requiring a standard format for supporting SCD\ncalculations and for identifying the individual responsible for the calculations and that the\nresulting transactions are input to PARS or the NFC system based on a properly approved SF-52.\n\nManagement Response 4: DOA concurs with the recommendation. Personnel Assistants will\nuse the FRC Retirement Calculator to determine the SCD\xe2\x80\x99s (Leave, Retirement and RIF) for all\nnew employees, including those who come to FDIC from another Federal Agency. The\ninformation sheet will be filed in the employee\xe2\x80\x99s OPF. Additionally, PSB will require the\nPersonnel Assistant to sign the information sheet and have the information reviewed by the\nPersonnel Specialist before the sheet is filed in the OPF. The information sheet will show the\nemployment dates used to calculate the SCD, the name of the Personnel Assistant who prepared\nthe sheet, and the Personnel Specialist who reviewed it. We anticipate that this practice will be\nimplemented by August 1, 1999.\n\nRecommendation 5: Review the duties of each employee on the Systems Support Staff to\nidentify those who do not need access to both the Classification Review option and the Review\nSF-52 option and modify the system tables to provide access to only those employees who\nrequire such access to perform their duties.\n\nManagement Response 5: DOA concurs with the recommendation. A review will be made of\neach staff member\xe2\x80\x99s need to access PARS, and appropriate action will be taken. 
We anticipate\ncompleting this action by August 1, 1999.\n\nRecommendation 6: Reassign duties and/or revise PARS access privileges so that individuals\nperforming the control function of matching input documents (SF-52s, etc.) with output\ndocuments (SF-50s) are not provided the ability to create, modify, or delete data.\n\nManagement Response 6: DOA concurs with the recommendation. A review will be made to\ndetermine the level of access to PARS required by each staff member, and appropriate action\nwill be taken. We anticipate completing this action by August 1, 1999.\n\n\n\n\n                                                14\n\x0cRecommendation 7: Reduce the number of PSB employees assigned PARS System\nAdministration access privileges to the minimum number needed to ensure effective operation of\nprocessing personnel actions.\n\nManagement Response 7: DOA does not concur with the recommendation. We reviewed the\nroles and responsibilities for those employees who currently have system administrator\nprivileges within PARS. We find the number of personnel with administrator privileges is\nappropriate. Four of the ten individuals in PSB/Washington identified as system administrators\nare the program managers/data stewards and system administrators of PARS. The other six\nindividuals identified as system administrators are \xe2\x80\x9cUser System Administrators\xe2\x80\x9d in the\nWashington Personnel Services Section (WPSS). WPSS has three teams processing PARS\nactions. For each team, there is a primary and a backup administrator. 
The User System\nAdministrator function was designed to enable these WPSS teams to process or move personnel\nactions when members of the WPSS are on leave to meet processing deadlines.\n\nRecommendation 8: Revoke access privileges to the NFC SINQ system for all individuals not\nin PSB and for PSB employees who do not require such access to ensure effective and efficient\nSINQ processing.\n\nManagement Response 8: DOA concurs with the recommendation. Access for most of the\nindividuals outside of PSB has been revoked. A thorough review has been made of the\nremaining individual accesses, and a request to revoke access was prepared and sent to the\nNational Finance Center (NFC) on May 28, 1999. Certain individuals with access to NFC SINQ\nsystem will remain because the individuals perform functions (e.g., technical support, back-pay\nand settlement cases) that require access to the system.\n\nRecommendation 9: Revoke access privileges to the NFC PACT system for individuals who\nare not in PSB and limit the number of PSB employees to the number needed to effectively and\nefficiently perform PACT processing.\n\nManagement Response 9: DOA concurs with the recommendation. Access for most of the\nindividuals outside of PSB has been revoked. A thorough review has been made of the\nremaining individual accesses, and a request to revoke access was prepared and sent to the\nNational Finance Center (NFC) on May 28, 1999. Certain individuals with access to the NFC\nPACT system will remain because the individuals perform functions (e.g., technical support,\nback-pay and settlement cases) that require access.\n\nRecommendation 10: Develop, periodically distribute, and review reports identifying\nindividuals assigned access authorities related to personnel action processing. Based on these\nreviews, ensure that all unnecessary access authorities are revoked.\n\nManagement Response 10: DOA concurs with the recommendation. 
A quarterly review of\nPARS and NFC access has been established. Our first review was completed at the end of the\n2nd quarter 1999. We made modifications to existing PARS reports to show access information.\n\n\n\n\n                                               15\n\x0cWe will continue to seek ways to improve our personnel action controls and security and would\nappropriate changes, as deemed necessary. We thank you for this opportunity to respond to the\nreport. If you have any questions regarding the response, our point of contact for this matter is\nAndrew Nickle, Audit Liaison for the Division of Administration. Mr. Nickle can be reached at\n(202) 942-3190.\n\n\n\nCc:    Cindy Medlock\n\n\n\n\n                                               16\n\x0c                                                                                                                                       APPENDIX III\n\n                                              MANAGEMENT RESPONSES TO RECOMMENDATIONS\n\nThe Inspector General Act of 1978, as amended, requires the OIG to report the status of management decisions on its recommendations in its semiannual\nreports to the Congress. To consider FDIC\xe2\x80\x99s responses as management decisions in accordance with the act and related guidance, several conditions are\nnecessary. First, the response must describe for each recommendation\n\n   \xc2\xa7   the specific corrective actions already taken, if applicable;\n   \xc2\xa7   corrective actions to be taken together with the expected completion dates for their implementation; and\n   \xc2\xa7   documentation that will confirm completion of corrective actions.\n\nIf any recommendation identifies specific monetary benefits, FDIC management must state the amount agreed or disagreed with and the reasons for any\ndisagreement. 
In the case of questioned costs, the amount FDIC plans to disallow must be included in management\xe2\x80\x99s response.\n\nIf management does not agree that a recommendation should be implemented, it must describe why the recommendation is not considered valid.\nSecond, the OIG must determine that management\xe2\x80\x99s descriptions of (1) the course of action already taken or proposed and (2) the documentation\nconfirming completion of corrective actions are responsive to its recommendations.\n\nThis table presents the management responses that have been made on recommendations in our report and the status of management decisions. The\ninformation for management decisions is based on management\xe2\x80\x99s written response to our report and subsequent discussions with management\nrepresentatives.\n\n\n\n\n                                                                          17\n\x0c                                                                                              Documentation That                   Management\n Rec.                                                                         Expected           Will Confirm          Monetary   Decision: Yes or\nNumber           Corrective Action: Taken or Planned/Status                Completion Date       Final Action          Benefits          No\n         PSB has developed procedures to enhance data integrity of\n         NFC-generated, PACT-generated, and employee award\n  1      transactions.                                                      
July 23, 1999    DOA written procedures     None            Yes\n\n\n         PSB will develop written procedures requiring submitting\n         organizations to compare SF-52s submitted to PSB to SF-50s\n         received at the end of the process to ensure the accuracy and                                                                  Yes\n  2      consistency of the personnel actions processed and report the     August 15, 1999      PARS Directive          None\n         results to PSB.\n\n\n         The CHRIS subsystem, intended to replace PARS, will\n         incorporate the capability to track all changes to a personnel\n         action from the original request submitted by the requesting                         Completion of PARS\n  3                                                                          July 1, 2001                               None            Yes\n         organization to the final processed action.                                           portion of CHRIS\n\n\n         PSB will require a standard format for supporting SCD\n         calculations to be signed by the Personnel Assistant and by the                        DOA standardized\n  4      Personnel Specialist who reviewed it.                              
August 1, 1999    information sheet and     None            Yes\n                                                                                                written procedures\n\n         PSB will review the duties of each employee on the Systems\n         Support Staff to identify those who do not need access to both\n  5      the Classification Review Option and the Review SF-52 option       August 1, 1999    PARS system tables        None            Yes\n         and modify the system tables to provide access to only those\n         employees who require such access to perform their duties.\n         PSB will reassign duties and/or revise PARS access privileges\n         so that individuals performing the control function of matching\n  6                                                                         August 1, 1999    PARS system tables        None            Yes\n         input documents with output documents are not provided the\n         ability to create, modify, or delete data.\n         Access to the NFC SINQ system for most of the individuals\n         outside of PSB has been revoked. A thorough review has been                         NFC reports on access\n  7                                                                         July 23, 1999                               None            Yes\n         made of the remaining individual accesses, and a request to                              privileges\n         revoke access was prepared and sent to the NFC.\n         Access to the NFC PACT system for most of the individuals\n         outside of PSB has been revoked. 
A thorough review has been                         NFC reports on access\n  8                                                                         July 23, 1999                               None            Yes\n         made of the remaining individual accesses and a request to                               privileges\n         revoke access was prepared and sent to the NFC.\n         A quarterly review of PARS and NFC access has been\n  9      established. DOA made modifications to existing PARS                July 23, 1999    Access reports on file    None            Yes\n         reports to show access information.\n\n\n\n                                                                              18\n\x0c"